Create a logic app trigger "When an Azure Sentinel Incident is Created"
It would be great to have a trigger in the Azure Sentinel connector when a new Azure Sentinel incident is created.
This way we could integrate and automate with the other Microsoft security products (MCAS, WDATP, Azure ATP, etc.) and also with an ITSM tool like Service Now.
The idea is to have a playbook run automatically whenever a new incident is created in Sentinel to:
- create an incident in Service Now
- send an email notification
Further, we could expand to automatically close the SNOW incident and the corresponding alert in whichever product (MCAS, WDATP, etc.) when the Azure Sentinel incident's status is changed to Closed.
This way you would really have a single pane of glass to manage all alerts from all MS security products and integrate with an ITSM tool.

9 comments
-
Luiz commented
I am facing the same problem. Just to confirm: while I am with (Private View only), am I unable to use it in Sentinel? Is that so?
Do you have any indication of how not to send an email when the alert is created, but an incident is already open and the alert is grouped into that incident?
I am getting creation emails, but they are being grouped together in the same incident, so they are not considered new incidents for dealing with time.
As the e-mail is sent for ticket management, more than one incident is created; however, no new incidents were created, rather, alerts were grouped in the same incident.
I would be grateful for some kind of help.
-
Pinku Rajbongshi commented
Currently we need to go to each product and close the incident, like in ATP, MDATP, MCAS, AIP, ASC, AADIP. So if the capability of automatic closure of the incident in the individual product after closing the incident in Sentinel were available, it would be a great help.
-
Bjorn commented
Doing this with automated response removes the automated response capability from Sentinel.
At the moment we can only choose 1(!) logic app as a response. So I can integrate Sentinel with another ticket system, or I can protect my assets.
I don't want to have to nest my logic apps for every rule.
It's an easy fix. Just let us choose more than 1 playbook at a time.
-
Kevin K. Kragh commented
We're also missing this feature atm.
Would be nice if this got some attention.
-
Cris commented
@anonymous - That is exactly the idea, to have that trigger available for all alert types, not only scheduled rules.
@truekonrads - This can be achieved through Microsoft Graph (we're already using it), but this is a workaround; it would be great to have it built into Sentinel.
-
Anonymous commented
This would be useful!
-
Anonymous commented
Tiander, that will only work for Scheduled rules. I believe the intent of this request is to have it available no matter what type of alert is generating the alert.
If I can also add an additional request, it would be great to have this work on edits as well.
-
Tiander Turpijn commented
This is already available (in preview). You can create a Logic App Playbook and use the Sentinel trigger, then add any actions (like create a Service Now ticket, or interacting with MCAS, etc.). When creating a Sentinel analytics rule, you can add the playbook as an automated response. You will only see and can only add playbooks which will have the Sentinel trigger as the first step in the playbook.
-
Gunjan commented
How should I create a scheduled analytic which can iterate on security alerts? Can you please help?